0

I am new to IDS. My understanding so far has been that an IDS sits behind proxy servers and checks the content of the packets for any malicious payloads. How will an IDS work on SSL packets? Does it have the private key to decrypt it?

one
  • 1
    I consider this question as too broad. IDS can be used in various use cases. Some of these might be to be placed behind a proxy but usually this is not the case. Also, SSL usually do only passive traffic inspection which means that it cannot do SSL interception. But in some special use cases the master key for TLS (or similar) might be fed into the IDS so that it can decrypt traffic. Or the decrypted traffic is fed to the IDS. I recommend that you study further the various meanings and use cases of IDS and how SSL interception works and then come back with more focused questions. – Steffen Ullrich Feb 24 '17 at 09:12

1 Answer

1

IDS can also work on IP source, destination and other factors, so those will still work on SSL.

If you have provided your IDS with private keys so it can decrypt, or in fact if your SSL endpoint is at the proxy then you can do content inspection as well.

Rory Alsop
  • Just a follow up question, Rory. Say, if I am using Facebook from my office network which does have IDS and proxy server well in place, and if I assume the SSL end point is the proxy server, the proxy server will decrypt the package and IDS will run it through its rules? Then will there be a different SSL connection from the proxy server to my browser? – one Feb 24 '17 at 08:05
  • Totally depends on your setup. Many companies do run full mitm, yes. – Rory Alsop Feb 24 '17 at 10:45